Today, businesses often rely on customers that access an automated resource in order to receive information, services or products. When a claimant requests access to a resource, he/she must respond to a sequence of questions about information related to a legitimate claimant, called identifiers. The resource has in storage in a trusted, previously-created database the correct responses to each of these identifiers for each legitimate claimant. Identifiers are partitioned into multiple groups, where identifiers in the same group are correlated and identifiers in different groups are regarded as being independent. For example, the identifiers may include just one voice sample, analyzed through voice recognition techniques. This identifier is likely to be regarded as being independent of any other identifier and therefore would be a group by itself. A different group may include dynamic personal identifiers such as last hotel stayed in, last sport event attended, and last show seen, where the dependence among these identifiers reflects the likelihood of a potential impostor having observed these activities by the legitimate claimant or person. Yet another group may include information on personal documents such as driver license number and multiple credit card numbers, and so forth, where the dependence among these identifiers reflects the possibility of a potential impostor having acquired the person's wallet. Some identifiers, such as voice samples or fingerprints, could be treated as providing more reliable identifiers, whereas others, such as credit-cards, do not offer the same degree of certainty, owing to the possibility of stolen or fraudulent cards.
A claimant is probed with a sequence of identifiers. The claimant's response to a single identifier is either a match, a no-match, or ambiguous. A match means the response matches the information in the database, a no-match means that it does not match the response in the database, and ambiguous means that a determination cannot be made of whether the response is a match or a no-match. The latter may occur, for example, when responding to a voice recognition identifier due to noise on the communications line. The probing session terminates either with accepting the claimed identity, thus granting the claimant access to the resource; or with rejecting the claimed identity, thus denying access to the claimant; or with terminating the session inconclusively, thus sending the claimant to further manual interrogation, typically conducted by call center personnel.
L. T. Honarvar, B. R. Witte, S. C. Fatigante, and G. L. Harless, in U.S. patent application Ser. No. 10/224,564, filed Aug. 21, 2002, entitled “User Authentication System and Methods Thereof”, provide a system and method that use multiple groups of identifiers customized for each claimant. An identity is verified based on scoring methods, where a claimant may receive points for each match and lose points for each no-match. Although such scoring methods are very flexible, these methods do not provide quantified guarantees regarding the probabilities of erroneously accepting an impostor or erroneously rejecting a legitimate claimant. Also, these methods do not provide a quantified probability of terminating a session inconclusively.
The present invention provides an adaptive method that would be implemented on an automated system, with quantified performance guarantees, subject to the accuracy of the estimates of the basic probabilities that serve as inputs to the method. Specifically, a potential impostor would be erroneously accepted with a computed probability that does not exceed α (where α is a specified parameter, for example, α=10−6), and a legitimate claimant would be erroneously rejected with a computed probability that does not exceed β (where β is a specified parameter, for example, β=10−5). Moreover, the number of identifiers used in an identity verification session is limited to S (where S is a specified parameter, for example, S=8). Thus, if after probing S identifiers, a claimant cannot be reliably accepted or rejected, the session terminates inconclusively. The method computes the probabilities that a session for a legitimate claimant would grant access, deny access, or terminate inconclusively, and the probabilities that a session for an impostor would grant access, deny access, or terminate inconclusively. These probabilities depend on the specified values of the parameters α, β and S, and facilitate designing the access control for a resource with the appropriate balance among these parameters. These probabilities also provide guidelines for whether better identifiers, with better differentiation between a legitimate claimant and an impostor, are needed. The method is adaptive as the sequence of identifiers probed during a session depends on the responses provided by the claimant. Moreover, an impostor's conditional probabilities of responding with a match or a no-match are recomputed after each response for all correlated identifiers.